I want to avoid a cross-site scripting attack on data passed as JavaScript in ASP.NET with C#. I am passing data in JavaScript, where label data is passed to the input HTML controls and the data manipulation is done from the pop-up screen/window:

document.getElementById('ctl00_cphDDS_lblSelectedOriginator').innerHTML = dialogWindow.CompanyName;

What I have tried:

Passing a JavaScript function as below:
function showModalWindowForUtilityOIC_PAUT(cntrl) {
    if (SessionTimeOutRedirection()) {

        var Bank = document.getElementById('ctl00_cphDDS_ddlBankType').value;
        // Query-string parameters are separated by a single '&' (the original had '&&').
        // Each value is URL-encoded so that characters such as '&', '=' or '#' in the
        // dropdown value or in cntrl cannot add or alter parameters.
        // Note: window.showModalDialog has been removed from current browsers; the
        // call is kept as written for the legacy application this was built against.
        var dialogWindow = window.showModalDialog('ViewOIC.aspx?Bank=' + encodeURIComponent(Bank) + '&Type=U&InstructionCode=' + encodeURIComponent(cntrl), 'mywindow', 'dialogWidth:875px; dialogHeight:400px; center:yes; status=no; toolbar=no; menubar=no');
        if (dialogWindow != null) {

            //Updated on 10.06.2019 for Cross Site Script Attack Start
            // CompanyName comes back from the popup and is untrusted; assigning it to
            // innerHTML means any markup it contains is parsed and rendered.
            document.getElementById('ctl00_cphDDS_lblSelectedOriginator').innerHTML = dialogWindow.CompanyName;

        }
        return true;
    }
}
Posted
Updated 13-Jun-19 22:12pm

1 solution

You need to HTML-encode the text when setting it to innerHTML. I'm not sure JavaScript has a built-in function to do this, but there is sample code on how to do it if you google:

HTML Encode and Decode with Javascript - Strictly Software
Comments
ranio 14-Jun-19 4:59am
   
What about using innerText instead of innerHTML?
document.getElementById('ctl00_cphDDS_lblSelectedOriginator').innerText = dialogWindow.CompanyName;
F-ES Sitecore 14-Jun-19 5:08am
   
Try it and see
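The two approaches discussed above, HTML-encoding before assigning to innerHTML (the answer) and assigning to a text property instead (the comment), as an added example that is not part of the original question, answer or comments. It assumes nothing about the page's ASP.NET controls: the element is a constructed stand-in so the code runs in Node without a browser, and HOSTILE_NAME is a constructed value standing in for dialogWindow.CompanyName. The names htmlEncode, setLabelText, fakeElement and renderedMarkup are this example's own.

```javascript
// Added example, not code from the original question, answer or comments.
// Shows (1) HTML-encoding a value before assigning it to innerHTML, as the
// answer recommends, and (2) assigning it to textContent (the DOM standard
// name for what the comment calls innerText), which never parses markup.

// Encode the five characters that can change meaning inside HTML text or
// quoted attribute values. '&' must be encoded first so the entities
// produced by the later replacements are not encoded a second time.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Set a label's visible text from untrusted data. Prefer textContent;
// fall back to encoded innerHTML only if the element has no textContent.
function setLabelText(el, value) {
  if ('textContent' in el) {
    el.textContent = String(value);
  } else {
    el.innerHTML = htmlEncode(value);
  }
  return el;
}

// Constructed stand-in for a DOM element so this runs in Node without a
// browser. It models only what matters here: a browser parses an innerHTML
// assignment as markup, while textContent creates a single text node that
// serialises back with entities.
function fakeElement() {
  let markup = '';
  return {
    set innerHTML(v) { markup = String(v); },
    get innerHTML() { return markup; },
    set textContent(v) { markup = htmlEncode(v); },
  };
}

// Constructed attacker-controlled value standing in for dialogWindow.CompanyName.
const HOSTILE_NAME = 'Acme "Ltd" <img src=x onerror=alert(document.cookie)>';

// Return the markup the browser would hold after setting the label one of
// three ways: 'raw' (the original code), 'encoded' (the answer's advice)
// or 'text' (the comment's suggestion, via setLabelText).
function renderedMarkup(value, how) {
  const el = fakeElement();
  if (how === 'raw') {
    el.innerHTML = value;
  } else if (how === 'encoded') {
    el.innerHTML = htmlEncode(value);
  } else {
    setLabelText(el, value);
  }
  return el.innerHTML;
}

// True when the resulting markup still contains a tag: the payload survived.
function containsTag(markup) {
  return /<[a-z]/i.test(markup);
}

for (const how of ['raw', 'encoded', 'text']) {
  const out = renderedMarkup(HOSTILE_NAME, how);
  console.log(how.padEnd(8), containsTag(out) ? 'TAG SURVIVES' : 'inert', out);
}
```

Encode exactly once and only for the sink you are writing to: passing an already-encoded string to textContent (or encoding twice) shows the user a literal `&lt;img ...&gt;` instead of the company name. Element-content encoding also covers only this sink; a value concatenated into an attribute, a URL, an inline event handler or a script block needs the encoder for that context, and the query string built in the question is one such case.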

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)